Info

This document is part of an original submission for the RP2350 Hacking Challenge.

For more detailed and up-to-date content, refer to “Laser Fault Injection on a Budget: RP2350 Edition”.

Die Target Areas

Sensitive Surface

The effect of laser pulses has not been studied over the entire die surface area for the following reasons:

  • It’s a slow process; in the interest of time, I stopped as soon as I was able to disturb the ARM core execution flow.
  • I hit a couple of areas that resulted in a full crash of the system and high power consumption. Considering that preparing samples is a bit tedious, I would rather not damage parts this way.

The sensitive surfaces I exploited are roughly highlighted in this high-quality backside image shot by @LennertWo.

Rough location of the area that is usually targeted to inject faults

Rough location of the area that is usually targeted to inject faults

Beam Location for the First Secure Boot Bypass

The exact beam location used for the first secure boot bypass I obtained is displayed below. The laser is here pulsed at a low power to avoid blinding the camera.

Location of the first success

Laser beam position that led to the first secure boot bypass

The positioning repeatability of the Laser Fault Injection Platform isn’t great. Hence, while attempting to exploit the chip, I typically slowly move the beam around this location.

Last update: November 24, 2024